
Published on December 14th, 2019

Attorney general announces settlement with travel websites after data breach – News – Ellwood City Ledger



HARRISBURG — Attorney General Josh Shapiro announced Friday his office reached a settlement with travel websites Orbitz and Expedia following an investigation into a 2018 data breach.

Orbitz disclosed in March 2018 that the breach may have exposed data for 20,755 Pennsylvania customers, including 880,000 payment cards globally. Expedia acquired Orbitz and its assets in September 2015.

The investigation found a hacker had evaded security detection and built malware that targeted payment cards. A business partner of Orbitz notified the company of a possible common point of purchase in connection with fraudulent transactions, according to a release Friday.

“Just like that, someone broke into Orbitz’ IT system and vacationed in what was supposed to be a safe place for travelers. The breach showed the company’s promise to keep customer information secure was more like a leaky boat,” Shapiro said in a release. “We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself.”

The Assurance of Voluntary Compliance alleges Orbitz violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by making misrepresentations in its customer-facing privacy policy about the safeguarding of its customers’ personal information and failing to fully implement Expedia’s company policies related to data security, according to a release. In addition, multiple Payment Card Industry Data Security Standards requirements were not in place at the time of the breach.

Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty. Expedia and Orbitz have also agreed to strengthen their security practices going forward by doing the following:

• Implementing a comprehensive information security program on the Orbitz website

• Conducting an annual comprehensive risk assessment

• Developing a plan and program for designing, implementing, and operating safeguards

• Performing regular security monitoring, logging and testing

• Employing improved access control and account management tools





• Reorganizing and segmenting its network

• Complying with Payment Card Industry Data Security Standards

To better protect consumers’ personal data against identity thieves, Shapiro’s office suggests the following tips to minimize your odds of being victimized:

• Password protect all your electronic devices

• Avoid using the same password for all your electronic devices and financial accounts

• Avoid clicking on suspicious links in emails or text messages

• Never give out your personal information to someone who calls you posing as a bank or credit card company employee — legitimate organizations do not call and ask for personal information

• Regularly check your credit reports

• Establish fraud alerts
